Through the Department of Defense Patch Repository, DOD recently reached an agreement that permits active DOD military and civilian employees to use antivirus software at home for personal use, reducing the risk of employees carrying malware from home systems back to work and endangering DOD networks. It also offers cost savings, since a single enterprise solution can support the RMF documentation for the IT systems it covers.
Antivirus Software License Agreement
The Department of Defense Antivirus Software License Agreement allows both military and civilian personnel of the Department to use antivirus products on their personal computers, to help minimize the risk of employees carrying malicious code into work systems and compromising DOD networks. DOD works with vendors such as McAfee and Symantec so that employees can download antivirus products for personal computers free of charge; the same software can also protect family computers against malicious content.
Customer agrees to protect the Software using security measures similar to those employed to safeguard its own proprietary information. Customer will not disclose it to any third parties except as expressly allowed under this Agreement or as agreed in writing between the Parties; use by government agencies must comply with all laws, regulations and executive orders in force at that time.
1.1 Installation and Use
Your license permits one copy of the Software to be installed and used on the permitted Devices. Because it is a utility that may make irreversible changes to the devices it runs on, you are strongly advised to back up those devices with a suitable method before running the Software, and to comply with all local, federal and international rules, regulations, laws, statutes and ordinances when using it.
1.2 Mandatory Activation, If Appropriate
You must activate your licensed copy of the Software either during the setup sequence or within 30 days of installing it on a device. Otherwise your license rights lapse and the Software must be uninstalled from the device immediately.
1.3 Disclaimers and Limitations
The Software and Documentation are provided “AS IS,” without warranties of any kind, expressed or implied, including warranties of merchantability, fitness for a particular purpose, absence of viruses and workmanlike effort. Unless expressly granted in the Limited Warranty clause below, this Agreement does not confer on You any right to support or other services related to the Software.
DISA
DISA is a Department of Defense combat support agency that provides IT and communications capabilities for military use. Its mission is to ensure that secure and timely information capabilities are available to U.S. forces; its duties include operating the global information networks, delivering advanced technology solutions and defending against cyber threats.
DISA not only offers information technology services; it also operates and supports the Global Information Grid (GIG). Through various contract vehicles it offers telecommunications products and services, and its computing services portfolio includes mainframe hosting, application monitoring, server hosting and virtualization.
DISA secures its information systems by requiring all devices and software to comply with the configuration guidance in its Security Technical Implementation Guides (STIGs). These help prevent data breaches and other cybersecurity incidents by closing known weaknesses in software and network configurations. Each STIG check carries a severity category, from CAT I findings that present a direct and significant exploitation risk to CAT III findings that degrade overall security posture.
STIG compliance is mandatory for software that interacts with DoD networks and systems, so vendors work with DISA to develop a STIG for their product that balances functionality with security; the process is both time-consuming and expensive. Knowing which findings are critical, and how best to address them, is also key to effective STIG compliance.
Meeting DISA security requirements presents its own challenges, one being keeping IT systems and applications updated on an ongoing basis. This can be an immense task when new software arrives with different settings or replaces old programs altogether, but automated tools exist that make the process more straightforward and less time-consuming.
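As an added example (not code from this page, from DISA or from any vendor named here), the script below shows what the automated side of STIG work looks like in practice: it reads a STIG-style XCCDF benchmark, ranks the rules by DISA severity category so CAT I findings are worked first, and checks a constructed sshd_config against them. The benchmark XML, its rule IDs, the EXPECTED mapping and the sshd_config excerpt are all constructed for illustration; real STIGs are published as XCCDF in the namespace used here, but their check content is prose that has to be encoded by hand or through SCAP content.

```python
"""Triage a STIG-style XCCDF benchmark by severity and check an sshd_config
against it. Added illustration: the benchmark, rule IDs and sshd_config below
are constructed samples, not a published DISA STIG. The severity-to-CAT mapping
is DISA's convention (high = CAT I, medium = CAT II, low = CAT III)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # namespace STIGs are published in
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample benchmark; rule IDs and titles are illustrative only.
SAMPLE_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="example_benchmark">
  <Group id="V-000002"><title>SSH banner</title>
    <Rule id="SV-000002r1_rule" severity="low">
      <title>The SSH daemon must display a logon banner.</title>
    </Rule>
  </Group>
  <Group id="V-000001"><title>SSH root login</title>
    <Rule id="SV-000001r1_rule" severity="high">
      <title>The SSH daemon must not permit root login.</title>
    </Rule>
  </Group>
  <Group id="V-000003"><title>SSH ciphers</title>
    <Rule id="SV-000003r1_rule" severity="medium">
      <title>The SSH daemon must use only approved ciphers.</title>
    </Rule>
  </Group>
</Benchmark>
"""

# Hypothetical automated checks: rule id -> (sshd directive, required value).
# A real STIG's <check-content> describes this in prose; here it is encoded by hand.
EXPECTED = {
    "SV-000001r1_rule": ("PermitRootLogin", "no"),
    "SV-000002r1_rule": ("Banner", "/etc/issue.net"),
    "SV-000003r1_rule": ("Ciphers", "aes256-gcm@openssh.com,aes128-gcm@openssh.com"),
}

SAMPLE_SSHD_CONFIG = """# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
PermitRootLogin no   # never takes effect: sshd keeps the first value of a keyword
Banner /etc/issue.net
"""


def load_rules(xml_text):
    """Return [(cat, rule_id, title)] with CAT I first so the riskiest findings
    are worked before anything else."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        sev = rule.get("severity", "medium").lower()
        title = rule.findtext(f"{{{XCCDF_NS}}}title", default="")
        rules.append((SEVERITY_TO_CAT.get(sev, "CAT II"), rule.get("id"), title))
    rules.sort(key=lambda r: (len(r[0]), r[1]))  # "CAT I" < "CAT II" < "CAT III" by length
    return rules


def parse_sshd_config(text):
    """Map lower-cased directive -> effective value. sshd uses the FIRST
    occurrence of a keyword, so a later hardening line does not override an
    earlier weak one; mirroring that avoids false passes."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def evaluate(rules, config_text):
    """Return open findings as [(cat, rule_id, directive, actual_value)],
    ordered as `rules` is (CAT I first). Rules without an encoded check are
    skipped and must be reviewed manually."""
    cfg = parse_sshd_config(config_text)
    findings = []
    for cat, rule_id, _title in rules:
        if rule_id not in EXPECTED:
            continue
        directive, want = EXPECTED[rule_id]
        actual = cfg.get(directive.lower())
        if actual != want:
            findings.append((cat, rule_id, directive, actual))
    return findings


if __name__ == "__main__":
    rules = load_rules(SAMPLE_BENCHMARK)
    for finding in evaluate(rules, SAMPLE_SSHD_CONFIG):
        print("OPEN  %-8s %s  %s=%r" % finding)
```

Run against the constructed input, the script reports two open findings, the CAT I root-login item first and the CAT II cipher item (directive absent), and passes the banner check. The first-occurrence rule in parse_sshd_config is the detail worth copying: a checker that takes the last value would mark the root-login rule as compliant while the running daemon still accepts root logins.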
Perforce’s Klocwork static analysis tool enforces coding rules and flags violations automatically, and ships with security taxonomies and a framework for rule enforcement and interpretation. It lets you check early whether your code meets the relevant DISA security requirements, avoiding the penalties and extra cost of late-stage compliance work, and produces reports on the security vulnerabilities it finds. For more information, visit our Klocwork page.
Security Requirements Guide
A Security Requirements Guide (SRG) provides a common set of processes and tools by which DoD authorizes information technology systems for use on its networks, while realizing cost savings through commercial off-the-shelf (COTS) software. Because it is an evolving policy tool, its public review must continue so that it keeps meeting DoD needs.
The Cloud Computing Security Requirements Guide (CC SRG) defines the security controls and authorization process for DoD components, application and system owners and operators, and information owners who use Cloud Service Offerings (CSOs) hosted by non-DoD Cloud Service Providers or in DoD enclaves. It also serves as a central knowledge repository that enables DoD personnel to use COTS software while supporting an RMF approach to managing an IT system’s lifecycle.
An SRG also lets DoD record configurations, conduct assessments and validate compliance through the ESS working groups and communities of practice in an organized way, mitigating vulnerabilities on DoD networks and information systems with repeatable processes that include flaw remediation. Using it provides an efficient means of testing new ESS functionality without affecting operational environments, meeting strategic requirements while adhering to rigid standards that reduce exposure risk.